1. Field of the Invention
The present invention relates to anti-virus solutions and, in particular, to capturing (intercepting) a function called from a running application, while maintaining the function parameter stack for re-calling the function.
2. Description of the Related Art
Currently, malicious software (malware) has spread on a large scale. In the past, computer viruses were transferred on floppy disks, making it impossible to infect many computers simultaneously. However, with wide accessibility of the Internet, it has become easier to spread malware via malicious scripts on web pages, which often occurs invisibly to a user.
Modern browsers, unlike NCSA Mosaic (the first browser), are capable of displaying not only static pages, but also of providing a full-fledged interface between a user and a modern website. The modern browsers are compliant with various web-standards and technologies, such as CSS3, HTML5, Java, Javascript, RSS, etc. These technologies help browsers display and operate various interactive elements, thus facilitating the data input for the user. This interaction can cause serious flaws in information security.
The problem is that the newly developed standards do not sufficiently address security issues, such as vulnerability to XSS, CSRF and other attacks. One can see this just by typing a search query “html5 security issues.” With web languages (such as, for example, Javascript), their creators put most efforts to make it easy to learn by users and to be efficiently interpreted by a browser, leaving the aspect of information security checks to programmers or to the browsers. This is a major reason why malicious scripts are so widespread in the Internet, and there is a need to detect the malware using existing anti-virus technologies.
Currently, the anti-virus (AV) technologies use the following conventional approach: when receiving a response from a web-server, the AV solution captures (intercepts) the web page and scans it for malicious URLs and scripts (e.g., written in Javascript) using the AV own script emulators. The main drawback of the conventional approach is that the anti-virus emulator (e.g., for Javascript) operates differently from the browser interpreters, which, on top of that, are constantly changed.
Another conventional approach is to intercept functions of the application in question (i.e., a browser), which are called when executing the web page scripts, thus capturing the threads of the browser Javascript interpreter. This approach requires application code analysis—in some cases, by disassembling the code when the application or library functions which are not documented, which is typical in proprietary software. After the unsecure functions are detected, the function capture utilities transfers the necessary parameters (i.e., the parameters used to call the initial function) to an anti-virus application for analysis. The conventional function capture utility can produce any of the following results:                the function parameters have been recognized correctly, and the anti-virus software has not detected anything malicious, thus the initial function can be resumed with all recognized parameters;        the function parameters have been recognized correctly, and the anti-virus software has detected malicious functions, thus the initial function needs to be interrupted;        the function parameters have not been recognized correctly.        
If the function parameters have not been recognized correctly, there is a need to re-call initial function with initial parameters. FIG. 1 illustrates a conventional function parameter stack for calling the functions of a running application. When a function is called, all necessary parameters (see stack frames 100a, 100b) and the return addresses A, B, etc. are stored in the stack. However, in order to determine the parameters used to call the initial function (whose number is unknown) by the function interceptor, the application must be debugged manually. Thus, the main drawback of the conventional approach is that it cannot be used for automated analysis.
A number of variables (of different types, such as strings, binary, integers or floating point variables) are written into the frame 100b. The parameters can be recognized correctly only through manual analysis. Modern scripting languages, such as Javascript, do not have strict typing of parameter data. Thus, different functions (e.g., document.write or document.eval), when called, can transfer a different number of various parameters. Without a strict definition of the data types, 1 Kb of data can be received and not recognized as integers, floating point variables, strings, or any combination of the above. This fact makes analysis of the transferred function parameters even more difficult.
Another conventional approach is to implement a parameter analyzer for each specific function in the application. However, after an update it could still need manual analysis, which makes this approach very labor intensive. For example, U.S. Pat. No. 7,500,230 describes a method of statistical code analysis, which converts low-level stack operations into high-level ones by determining the number of transferred parameters and their types.
Thus, the system needs be able to re-call the initial application function with initial parameters, unless the anti-virus analysis has detected malicious activity and the initial function needs to be interrupted. Accordingly, the interceptor function has to call the initial function with an unknown number of parameters, while the interceptor function itself has the unknown number of parameters as well. The main drawback of this approach is that the captured parameters can be transferred correctly only if their data types are identified, which is not always possible. Therefore, the conventional approaches are ineffective and sometimes even unusable, because the re-calling of the captured function generates errors.
Accordingly, there is a need in the art for a method for re-calling the application captured function while maintaining the function parameter stack.